Client can't negotiate with TLS 1.0 and 1.1
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 24 20:44:39 UTC 2022
Hello!
On Wed, Aug 24, 2022 at 05:22:10PM -0300, Fabiano Furtado Pessoa Coelho wrote:
> I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> with one NIC and 2 IPs, with the following config:
>
> * config based on
> https://ssl-config.mozilla.org/#server=nginx&version=1.22.0&config=intermediate&openssl=3.0.5&guideline=5.6
>
> 1st) IP 10.0.0.1 with intermediate config (only TLS 1.2 and 1.3 enabled):
>
> server {
> listen 10.0.0.1:443 ssl http2;
> server_name secure.example.com;
[...]
> 2nd) IP 10.0.0.2 with old config (TLS 1.0 through 1.3 enabled):
>
> server {
> listen 10.0.0.2:443 ssl http2;
> server_name insecure.example.com;
[...]
> $ netstat -nlpt | grep nginx | sort
> tcp 0 0 10.0.0.1:443 0.0.0.0:* LISTEN
> 1337/nginx: master p
> tcp 0 0 10.0.0.2:443 0.0.0.0:* LISTEN
> 1337/nginx: master p
>
>
> Trying TLS 1.0:
>
> $ openssl s_client -connect insecure.example.com:443 -tls1
> CONNECTED(00000003)
> 00FCC7F5507F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1
> alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number
> 70
[...]
What's the IP address of "insecure.example.com" in your tests?
What happens when you test with IP addresses you've configured,
10.0.0.1 and 10.0.0.2, rather than names?
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list